The Target Video Easy Publish plugin allows authenticated users with Contributor or higher privileges to store arbitrary JavaScript through the placeholder_img parameter, because the input is not properly sanitized or escaped. When the affected content is viewed, the injected script runs in the context of the site, enabling typical XSS consequences such as session hijacking, defacement, or the loading of malicious resources. The vulnerability is a classic insecure input handling (CWE‑79) that compromises the confidentiality, integrity, and availability of the site users' browsers. Based on the description, the attack vector is an authenticated session—any contributor can perform the injection without the need for additional privileges.

WordPress installations that have the Target Video Easy Publish plugin version 3.8.8 or earlier. Any site using this plugin up to that release is susceptible, regardless of theme or other plugins.

The CVSS score of 6.4 indicates moderate severity, but the EPSS score of less than 1% shows a low probability of exploitation at present. The issue is not listed in the CISA KEV catalog. Because the flaw requires authenticated Contributor+ access, the potential impact is constrained to sites where such roles are present, yet it still poses a significant risk to any user who views the stored content. None of the references indicate a publicly available exploit, but the nature of XSS makes this vulnerability a likely target for automated attack scripts if an attacker gains legitimate Contributor privilege.